background

Recently, I often encountered problems caused by the package version. I used package-locke. json to bind the package version, but it always caused some problems or conflicts.

Json in the project uses the framework default, package version rules basically start with ^, so every time NPM install will install the latest package according to the version rules, which will inevitably lead to dependency package compatibility problems.

Ignoring the lock file will lead to automatic package update problems. Ignoring the lock file will lead to conflicts or unexpected errors. What to do?

Semantic versioning

The version number consists of major version number, minor version number, and patch version number. Change different version numbers to represent different meanings

  • Major: The new architecture adjustment is not compatible with the previous version
  • Minor: A new function is added and compatible with an earlier version
  • Patch version: Fixes bugs and is compatible with older versions
 "dependencies": {
    "signale": "1.4.0".// Fix the version number
    "figlet": "*".// Any version (>=0.0.0)
      
    // Match major version (>=16.0.0 <17.0.0)
    "react": "16.x"."react": "^ 16.3.0".// Match major version and minor version (>=16.3.0 <16.4.0)
    "react-dom": "16.3.x"."react-dom": "^ ~ 16.3.0"
}
Copy the code

A major version number of 0 is considered an unstable version, which is different from the above:

  • Both major and minor versions are 0

    • ^ 0.0. Z,~ 0.0. ZAre treated as fixed versions and do not change when installing dependencies.

  • The major version number is 0

    • ^0.y.z behaves the same as ~0.y.z and only keeps the revision number as the latest version.

The 1.0.0 version number is used to define the public API. Release 1.0.0 when your software is released to a formal environment or has a stable API. So, when you decide to release an official version of the NPM package externally, mark it as version 1.0.0.

package-lock.json

origin

NPM install creates a package-lock.json file starting with NPM5.0.0, and the file size is KB/MB. Json dependencies are saved, corresponding to node_modules, which are used to lock the source and version of the package, so that other partners can keep the same dependencies when installing. The following figure shows part of the mapping.

Attributes that

  • Version The package is currently installed innode_modulesThe version in
  • Resolved installation Source
  • Integrity packagehashValue, based onSubresource IntegrityTo verify whether the installed software package has been changed or invalid
  • Requires a dependency, and requires a dependencypackage.jsondependenciesHas the same dependencies
  • Dependencies is an object, an object andnode_modulesThe package structure in

Differences between different versions

5.0.x has added version locking, where NPM install relies entirely on package-lock.json for installation each time, and does not install new dependencies even if package.json is modified. **so new problems appear, if I just want to update, no solution. Delete package-lock.json and reinstall it, thus losing the meaning of lock.

In versions after 5.1.0, modifying package.json will update package-lock.json. NPM install will also be updated to package-lock.json if there are dependent updates

NPM ci will install packages based on package-lock.json

Node version and NPM version

Node has its own NPM, although it can be upgraded, but generally uses its own VERSION

NPM Install Common Problems

Encountered some installation errors and other problems, usually search to a few commands, use the solution did not pay attention to, followed by similar problems.

An error message is displayed if the node version is different

For example, if node8.0 is installed, switch to Node10.0 and run the version problem, either switch to node_modules or delete node_modules

Integrity checksum failed when using SHA512: wanted SHA512 XXX

Usually remove package-lock.json and reload, or use CNPM (lock file is not valid for CNPM)

This defeats the purpose of locking the version and installs a dependency package with an indeterminate version

It is obvious from the above two figures that the error is caused by sha512 inconsistency

Solution: In order not to affect package-lock.json to lock the versions of other packages, first use NPM install element@version -s to install the package separately, and then run NPM CI to install other dependent packages

Manually updating package.json installs an unspecified version

For example, if “umi”: “^3.0.10” is manually changed to “umi”: “^3.0.11”, the current minor version of the latest 3.2.27 is actually installed, because the semantics are changed to install versions lower than 4.0.0, unless “umi”: “3.0.11” will be installed

Package-lock. json file is not installed by NPM install

For versions after 5.1.x, NPM install always checks for dependency updates first, and if so, installs the update and writes package-lock.json.

This can happen even if your project has versions fixed directly, but dependencies cannot be fixed.

If you only want to install using package-lock.json without updating dependencies, NPM uses 5.7.1 and above, using NPM CI

conclusion

  • Ignore and delete operations are not recommended

  • NPM 5.7.1 or later is recommended

  • The installation package habit changed from NPM install to NPM CI

    • Need lock file is not availablepackage-lock.jsoncomplains

  • NPM install packageName

The resources

  1. NPM install docs.npmjs.com/cli/v6/comm…
  2. NPM install implementation principle of www.zhihu.com/question/66…
  3. npm ci www.npmjs.cn/cli/ci/
  4. You don’t know the NPM zhuanlan.zhihu.com/p/102546577
  5. Analyze the NPM package management mechanism blog.csdn.net/azl39798585…
  6. NPM module installation mechanism www.ruanyifeng.com/blog/2016/0…
  7. Discussion of ignoring package-lock github.com/npm/npm/iss…